Speeding up July 23 cleanup

(If this is not allowed… please delete.)

Maybe this can help some others who are cleaning up after this July 23 wave of attacks.

As stated… you need to update your RouterOS as stated in the change log. Updated RouterOS

Then adjust the last line of this script.
The last line… change “admin” to your logged-in user name.
Then change “somethingnew” to whatever password you want to use.
Then it will be ready for copy paste into terminal.

### Find the port that socks is using, and make it a global variable ###
:global socker [/ip socks get port]
### Remove the firewall entry allowing socks (this removes every filter rule whose dst-port equals the socks port, so check your own rules first) ###
/ip firewall filter remove [find dst-port=$socker]
### Remove the Global Variable that was used to ID that socks firewall rule ###
/system script environment remove [find name=socker]
### Disable Socks ###
/ip socks set enabled=no
### Remove the Schedules I have seen so far ###
/system scheduler remove [find name="a"]
/system scheduler remove [find name="schedule3_"]
### Remove the Scripts fired by the schedulers ###
/system script remove [find name="ip"]
/system script remove [find name="script3_"]
### Remove the file it was downloading ###
/file remove mikrotik.php
### Remove the "service" User that was added ###
/user remove [find name=service]
### Set your password ###
/user set admin password=somethingnew

I have seen some routers with all drop rules disabled… look over your firewall and correct as needed. But maybe this can save you some time.

(If anyone else has an entry that should go here… we could add it?)
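As an added example (not the poster's script and not part of the original thread): a Python check that parses a RouterOS /export dump and reports the indicators this post lists (socks enabled and its allow rule, the "a"/"schedule3_" schedulers, the "ip"/"script3_" scripts, the "service" user, and disabled drop rules), so you can confirm a router is clean before and after running the cleanup. The export text below is a constructed sample; its port, names and rule details are made up.

```python
import re

# Constructed sample of a RouterOS "/export" dump (not a real capture) that
# reproduces the indicators named in the post, plus one benign scheduler.
SAMPLE_EXPORT = """\
/ip socks
set enabled=yes port=4153
/ip firewall filter
add action=accept chain=input dst-port=4153 protocol=tcp
add action=drop chain=input disabled=yes in-interface=ether1
/system scheduler
add interval=1m name=a on-event=ip
add interval=1d name=backup on-event=dailybackup
/system script
add name=ip source=":log info x"
/user
add group=full name=service
"""
# Object names the post lists as left behind by the attack
INDICATORS = {"scheduler": {"a", "schedule3_"},
              "script": {"ip", "script3_"}, "user": {"service"}}

def parse_export(text):
    """Map each export section path to a list of {attribute: value} dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):            # section header, e.g. "/ip socks"
            current = line
            sections.setdefault(current, [])
        elif current and re.match(r"(add|set)\s", line):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def find_indicators(text):
    """Return a sorted list of findings matching the post's cleanup targets."""
    s, findings, socks_port = parse_export(text), [], None
    for e in s.get("/ip socks", []):
        if e.get("enabled") == "yes":
            socks_port = e.get("port", "1080")   # 1080 is the RouterOS default
            findings.append(f"socks enabled on port {socks_port}")
    for e in s.get("/ip firewall filter", []):
        if socks_port and e.get("dst-port") == socks_port:
            findings.append(f"filter rule allowing socks port {socks_port}")
        if e.get("action") == "drop" and e.get("disabled") == "yes":
            findings.append("drop rule disabled")
    for path, kind in (("/system scheduler", "scheduler"),
                       ("/system script", "script"), ("/user", "user")):
        for e in s.get(path, []):
            if e.get("name") in INDICATORS[kind]:
                findings.append(f"{kind} named {e['name']!r}")
    return sorted(findings)
```

Feed it the output of `/export` copied from a router; an empty list means none of the post's indicators were found, which does not rule out other changes, so still review the firewall by hand as the post advises.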